Hello, I am trying to learn a little about the basics of logging in. I made a couple of very simple pages. The first page is the one you come to after pressing the submit button on the login form. It will set a session cookie and a client cookie to the same random number if you have supplied the right credentials (bunny/carrot). I think you call it a CSRF cookie. (The login form also sends the time of its load as a hidden variable.)

    <?php
    session_start();
    $login = true;
    if ($_SERVER['HTTP_REFERER'] != "http://example.com/login_form.php") {$login = false;} // must be referred from the form
    if ($login && ($_POST['time'] < (time() - 30)) ) {$login = false;} // must fill form within 30 seconds
    if ($login && ($_POST['user'] != "bunny") ) {$login = false;}
    if ($login && (md5($_POST['password']) != "005d05de29487ec44cd07bd9d757d4e1") ) {$login = false;} // MD5 for "carrot"
    if ($login) {
        $r = rand(0, 1000000);
        setcookie("CSRF_Token", $r);        // client cookie
        $_SESSION['Login_Token'] = $r;      // same value, server side
        echo "you have logged in";
    } else {
        $_SESSION['Login_Token'] = 'not authorized';
        echo "you supplied the wrong credentials";
    }

The second page is how I plan to protect the information from guests who are not logged in.
- The client cookie and the session cookie must be the same.

    <?php
    session_start();
    $CSRF_Token = null;                     // stays null when the browser sent no cookie
    if (isset($_COOKIE['CSRF_Token'])) $CSRF_Token = $_COOKIE['CSRF_Token'];
    if ( ($_SESSION['Login_Token'] != '') && ($CSRF_Token == $_SESSION['Login_Token']) ) {
        echo "This is only seen by logged in users.";
    } else {
        echo "You are <u>not</u> logged in";
    }

I haven't done this before. Is this way of doing it OK? Have I missed something?
Nope, the cookie and session can't be the same... if someone uses the same cookie he can log in. The cookie value has to be checked against the user IP/hostname or other user-based variables. Referers can be altered by browsers.
Thank you for the input, Eric. I think this takes care of the important point you raise?

    <?php
    session_start();
    $login = true;
    if ($_SERVER['HTTP_REFERER'] != "http://example.com/login_form.php") {$login = false;} // must be referred from the form
    if ($login && ($_POST['time'] < (time() - 30)) ) {$login = false;} // must fill form within 30 seconds
    if ($login && ($_POST['user'] != "bunny") ) {$login = false;}
    if ($login && (md5($_POST['password']) != "005d05de29487ec44cd07bd9d757d4e1") ) {$login = false;} // MD5 for "carrot"
    if ($login) {
        $r = rand(0, 1000000);
        setcookie("CSRF_Token", $r);
        $_SESSION['Login_Token'] = $r;
        $_SESSION['IP'] = $_SERVER["REMOTE_ADDR"];   // remember the address that logged in
        echo "you have logged in";
    } else {
        $_SESSION['Login_Token'] = 'not authorized';
        echo "you supplied the wrong credentials";
    }

    <?php
    session_start();
    $CSRF_Token = null;                                 // stays null when the browser sent no cookie
    if (isset($_COOKIE['CSRF_Token'])) $CSRF_Token = $_COOKIE['CSRF_Token'];
    if ( ($_SESSION['IP'] == $_SERVER["REMOTE_ADDR"])   // same address as at login
      && ($_SESSION['Login_Token'] != '')
      && ($CSRF_Token == $_SESSION['Login_Token']) ) {
        echo "This is only seen by logged in users.";
    } else {
        echo "You are <u>not</u> logged in";
    }
MD5 alone is not safe anymore. Try this tool: http://www.md5decrypter.com/ Use a hash in your password; otherwise the password can be decoded with sites like the above (also for SHA1 and others).
OK, they cracked "carrot". (I guess they have MD5-encrypted an entire dictionary.) What can I use instead? (I do not seem to know the difference between MD5 and a hash. I call MD5 a "hash".) But is the general idea of comparing user cookies and session variables OK? Thanks.
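An added example, not code from this thread: the same two pages written with password_hash/password_verify in place of the bare MD5 that the reply above shows is a dictionary lookup, and with a server-side anti-CSRF token carried in the form in place of a cookie that is compared to the session. It assumes PHP 7 or later; the user table, the function names (render_login_form, handle_login, is_logged_in) and the session keys are chosen for the example. The Referer and hidden-timestamp checks from the original are dropped, since both values are supplied by the client.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+.
// The only user is "bunny"/"carrot". The hash would normally be computed
// once at account creation and stored; it is recomputed here so the file
// runs on its own. password_hash salts every hash with fresh random bytes,
// so the stored value is not the plain table lookup that md5("carrot") is.
$users = array(
    'bunny' => password_hash('carrot', PASSWORD_DEFAULT),
);

// login_form.php: the anti-CSRF token lives in the session and is echoed
// into a hidden field. It must not be a cookie: the browser attaches
// cookies to every request by itself, including a request a hostile page
// makes the user submit, so a cookie proves nothing about who built the form.
function render_login_form() {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(16));
    }
    $token = htmlspecialchars($_SESSION['csrf'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="login.php">'
         . '<input type="hidden" name="csrf" value="' . $token . '">'
         . 'User: <input name="user"> '
         . 'Password: <input type="password" name="password"> '
         . '<input type="submit" value="Log in"></form>';
}

// login.php: returns true and marks the session as logged in on success.
// $post is $_POST; it is passed in so the function can be run from the CLI.
function handle_login(array $users, array $post) {
    // 1. The hidden token must match the one stored in this session.
    //    hash_equals compares in constant time.
    if (empty($_SESSION['csrf']) || !isset($post['csrf'])
        || !hash_equals($_SESSION['csrf'], (string) $post['csrf'])) {
        return false;
    }
    // 2. Credentials. password_verify reads salt and cost out of the stored
    //    string; someone holding the hash still has to brute-force bcrypt.
    $user = isset($post['user']) ? (string) $post['user'] : '';
    $pw   = isset($post['password']) ? (string) $post['password'] : '';
    if (!isset($users[$user]) || !password_verify($pw, $users[$user])) {
        return false;
    }
    // 3. Success: issue a new session id so an id planted on the victim
    //    before login (session fixation) does not become the authenticated
    //    one, then record the login server-side only. The session cookie is
    //    already the secret; a second cookie with the same number adds nothing.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    unset($_SESSION['csrf']);          // one token per login attempt
    $_SESSION['user']       = $user;
    $_SESSION['login_time'] = time();
    $_SESSION['last_seen']  = time();
    return true;
}

// Any protected page: consult the session and nothing sent by the client.
function is_logged_in() {
    return !empty($_SESSION['user']);
}

if (PHP_SAPI === 'cli') {
    // Stand-alone run: emulate session_start() with a plain array.
    $_SESSION = array('csrf' => bin2hex(random_bytes(16)));
    $token = $_SESSION['csrf'];
    $attempts = array(
        'wrong password'      => array('csrf' => $token, 'user' => 'bunny', 'password' => 'cabbage'),
        'forged CSRF token'   => array('csrf' => 'x',    'user' => 'bunny', 'password' => 'carrot'),
        'correct credentials' => array('csrf' => $token, 'user' => 'bunny', 'password' => 'carrot'),
    );
    foreach ($attempts as $label => $post) {
        printf("%-20s => %s\n", $label, handle_login($users, $post) ? 'logged in' : 'rejected');
    }
    printf("%-20s => %s\n", 'is_logged_in()', is_logged_in() ? 'yes' : 'no');
} else {
    session_start();
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        echo handle_login($users, $_POST) ? 'you have logged in' : 'you supplied the wrong credentials';
    } else {
        echo render_login_form();
    }
}
```

Run it with `php login.php` to see the three attempts decided; under a web server the same file serves the form on GET and processes it on POST. Only the first attempt with the right password and the right token succeeds, and the protected page decides on `$_SESSION['user']` alone.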
Now I suddenly find a big problem. If I close the browser (while I am logged in) and then reopen it, IT IS STILL POSSIBLE FOR ME TO SEE PAGES RESERVED FOR LOGGED IN MEMBERS. How can this be possible? I thought the session cookie would be erased when I closed the browser?
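An added example, not from this thread, for the closing question above: whatever a browser does with its cookies when it closes, the server never sees that happen, so a login has to expire on the server side and there has to be an explicit logout that destroys the session and expires the cookies. It assumes PHP 7 or later and that the login handler stored user, login_time and last_seen in the session (names chosen for the example); the two time limits are placeholders.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ and a login
// handler that set $_SESSION['user'], ['login_time'] and ['last_seen']
// (example names). The limits below are placeholders.
const IDLE_LIMIT     = 15 * 60;      // log out after 15 min without a request
const ABSOLUTE_LIMIT = 8 * 60 * 60;  // and in any case 8 h after login

// Call before session_start(). Lifetime 0 (the default) makes PHPSESSID a
// browser-session cookie; HttpOnly keeps it from script; Secure restricts it
// to HTTPS. gc_maxlifetime bounds how long the server keeps the session data
// at all, whether or not the browser still has the cookie.
function configure_session_cookie($https) {
    ini_set('session.gc_maxlifetime', (string) ABSOLUTE_LIMIT);
    ini_set('session.use_strict_mode', '1');   // reject ids the server did not issue
    session_set_cookie_params(0, '/', '', $https, true);
}

// Pure check so it can be exercised without a real session: given the
// session array and the current time, is the login still valid?
function login_is_valid(array $session, $now) {
    if (empty($session['user']) || empty($session['login_time']) || empty($session['last_seen'])) {
        return false;
    }
    if ($now - $session['login_time'] > ABSOLUTE_LIMIT) {
        return false;                          // too long since login
    }
    if ($now - $session['last_seen'] > IDLE_LIMIT) {
        return false;                          // too long since last request
    }
    return true;
}

// Explicit logout: empty and delete the server-side data and expire both the
// session cookie and any other cookie the login set, so reopening the browser
// or restoring its session cannot bring the login back.
function logout() {
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    setcookie('CSRF_Token', '', time() - 42000, '/');   // the extra cookie from the original pages
    session_destroy();
}

// Gate for a protected page; call right after session_start().
function require_login() {
    if (!login_is_valid($_SESSION, time())) {
        logout();
        echo "You are <u>not</u> logged in";
        exit;
    }
    $_SESSION['last_seen'] = time();           // slide the idle window
}

if (PHP_SAPI === 'cli') {
    // Stand-alone run over three constructed sessions at a fixed "now".
    $now = 1700000000;
    $cases = array(
        'logged in 1 min ago, active 30 s ago'      => array('user' => 'bunny', 'login_time' => $now - 60,       'last_seen' => $now - 30),
        'logged in 1 h ago, idle for 1 h'           => array('user' => 'bunny', 'login_time' => $now - 3600,     'last_seen' => $now - 3600),
        'logged in 9 h ago, active 10 s ago'        => array('user' => 'bunny', 'login_time' => $now - 9 * 3600, 'last_seen' => $now - 10),
    );
    foreach ($cases as $label => $session) {
        printf("%-40s => %s\n", $label, login_is_valid($session, $now) ? 'still logged in' : 'logged out');
    }
} else {
    configure_session_cookie(!empty($_SERVER['HTTPS']));
    session_start();
    require_login();
    echo "This is only seen by logged in users.";
}
```

Running `php protected.php` on the command line prints the decision for the three constructed sessions; under a web server the file gates the protected text. A separate logout link simply calls `session_start()` and then `logout()`.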